npm - dd-trace - Versions diffs - 5.98.0 → 5.99.1 - Mend

dd-trace 5.98.0 → 5.99.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (139) hide show

package/packages/dd-trace/src/appsec/blocking.js CHANGED Viewed

@@ -1,10 +1,16 @@
 'use strict'
+const { LRUCache } = require('../../../../vendor/dist/lru-cache')
 const log = require('../log')
+const web = require('../plugins/util/web')
 const blockedTemplates = require('./blocked_templates')
 const { updateBlockFailureMetric } = require('./telemetry')
-const detectedSpecificEndpoints = {}
+// Bounded by the LRU as defense-in-depth: getSpecificKey already keys on the
+// resolved route (or the path with the query string stripped) so cardinality
+// follows the routing table, not the URL space.
+const SPECIFIC_ENDPOINT_CACHE_MAX = 16_384
+const detectedSpecificEndpoints = new LRUCache({ max: SPECIFIC_ENDPOINT_CACHE_MAX })
 const templateKeyword = '[security_response_id]'
@@ -38,12 +44,18 @@ const specificBlockingTypes = {
   GRAPHQL: 'graphqlJson',
 }
-function getSpecificKey (method, url) {
-  return `${method}+${url}`
+function getSpecificKey (req) {
+  const route = web.getContext(req)?.paths?.join('')
+  if (route) return `${req.method}+${route}`
+  // Strip the query string so unique parameters do not balloon the cache.
+  const url = req.originalUrl || req.url || ''
+  const queryStart = url.indexOf('?')
+  return `${req.method}+${queryStart === -1 ? url : url.slice(0, queryStart)}`
 }
-function addSpecificEndpoint (method, url, type) {
-  detectedSpecificEndpoints[getSpecificKey(method, url)] = type
+function addSpecificEndpoint (req, type) {
+  detectedSpecificEndpoints.set(getSpecificKey(req), type)
 }
 function getBlockWithRedirectData (actionParameters) {
@@ -65,7 +77,7 @@ function getBlockWithContentData (req, specificType, actionParameters) {
   let type
   let body
-  const specificBlockingType = specificType || detectedSpecificEndpoints[getSpecificKey(req.method, req.url)]
+  const specificBlockingType = specificType || detectedSpecificEndpoints.get(getSpecificKey(req))
   if (specificBlockingType) {
     const specificBlockingContent = getTemplate(specificBlockingType, actionParameters)
     type = specificBlockingContent?.type

package/packages/dd-trace/src/appsec/graphql.js CHANGED Viewed

@@ -1,8 +1,8 @@
 'use strict'
-const { storage } = require('../../../datadog-core')
 const log = require('../log')
 const web = require('../plugins/util/web')
+const { getActiveRequest } = require('./store')
 const {
   addSpecificEndpoint,
   specificBlockingTypes,
@@ -33,7 +33,7 @@ function disable () {
 }
 function onGraphqlStartResolve ({ context, resolverInfo }) {
-  const req = storage('legacy').getStore()?.req
+  const req = getActiveRequest()
   if (!req) return
@@ -52,7 +52,7 @@ function onGraphqlStartResolve ({ context, resolverInfo }) {
 }
 function enterInApolloMiddleware (data) {
-  const req = data?.req || storage('legacy').getStore()?.req
+  const req = data?.req || getActiveRequest()
   if (!req) return
   graphqlRequestData.set(req, {
@@ -61,7 +61,7 @@ function enterInApolloMiddleware (data) {
 }
 function enterInApolloServerCoreRequest () {
-  const req = storage('legacy').getStore()?.req
+  const req = getActiveRequest()
   if (!req) return
   graphqlRequestData.set(req, {
@@ -71,19 +71,19 @@ function enterInApolloServerCoreRequest () {
 }
 function enterInApolloRequest () {
-  const req = storage('legacy').getStore()?.req
+  const req = getActiveRequest()
   const requestData = graphqlRequestData.get(req)
   if (requestData) {
     // Set isInGraphqlRequest=true since this function only runs for GraphQL requests
     // This works for both Apollo v4 (middleware) and v5 (HTTP server) contexts
     requestData.isInGraphqlRequest = true
-    addSpecificEndpoint(req.method, req.originalUrl || req.url, specificBlockingTypes.GRAPHQL)
+    addSpecificEndpoint(req, specificBlockingTypes.GRAPHQL)
   }
 }
 function beforeWriteApolloGraphqlResponse ({ abortController, abortData }) {
-  const req = storage('legacy').getStore()?.req
+  const req = getActiveRequest()
   if (!req) return
   const requestData = graphqlRequestData.get(req)

package/packages/dd-trace/src/appsec/index.js CHANGED Viewed

@@ -4,7 +4,6 @@ const log = require('../log')
 const web = require('../plugins/util/web')
 const { extractIp } = require('../plugins/util/ip_extractor')
 const { HTTP_CLIENT_IP } = require('../../../../ext/tags')
-const { storage } = require('../../../datadog-core')
 const { IS_SERVERLESS } = require('../serverless')
 const RuleManager = require('./rule_manager')
 const appsecRemoteConfig = require('./remote_config')
@@ -40,6 +39,7 @@ const Reporter = require('./reporter')
 const appsecTelemetry = require('./telemetry')
 const apiSecuritySampler = require('./api_security_sampler')
 const { isBlocked, block, callBlockDelegation, setTemplates, getBlockingAction } = require('./blocking')
+const { getActiveRequest } = require('./store')
 const UserTracking = require('./user_tracking')
 const graphql = require('./graphql')
 const rasp = require('./rasp')
@@ -116,8 +116,7 @@ function onRequestBodyParsed ({ req, res, body, abortController }) {
   if (body === undefined || body === null) return
   if (!req) {
-    const store = storage('legacy').getStore()
-    req = store?.req
+    req = getActiveRequest()
   }
   const rootSpan = web.root(req)
@@ -258,8 +257,8 @@ function incomingHttpEndTranslator ({ req, res }) {
 }
 function onPassportVerify ({ framework, login, user, success, abortController }) {
-  const store = storage('legacy').getStore()
-  const rootSpan = store?.req && web.root(store.req)
+  const req = getActiveRequest()
+  const rootSpan = req && web.root(req)
   if (!rootSpan) {
     log.warn('[ASM] No rootSpan found in onPassportVerify')
@@ -268,12 +267,12 @@ function onPassportVerify ({ framework, login, user, success, abortController })
   const results = UserTracking.trackLogin(framework, login, user, success, rootSpan)
-  handleResults(results?.actions, store.req, store.req.res, rootSpan, abortController)
+  handleResults(results?.actions, req, web.getContext(req)?.res, rootSpan, abortController)
 }
 function onPassportDeserializeUser ({ user, abortController }) {
-  const store = storage('legacy').getStore()
-  const rootSpan = store?.req && web.root(store.req)
+  const req = getActiveRequest()
+  const rootSpan = req && web.root(req)
   if (!rootSpan) {
     log.warn('[ASM] No rootSpan found in onPassportDeserializeUser')
@@ -282,7 +281,7 @@ function onPassportDeserializeUser ({ user, abortController }) {
   const results = UserTracking.trackUser(user, rootSpan)
-  handleResults(results?.actions, store.req, store.req.res, rootSpan, abortController)
+  handleResults(results?.actions, req, web.getContext(req)?.res, rootSpan, abortController)
 }
 function onExpressSession ({ req, res, sessionId, abortController }) {
@@ -308,8 +307,7 @@ function onRequestQueryParsed ({ req, res, query, abortController }) {
   if (!query || typeof query !== 'object') return
   if (!req) {
-    const store = storage('legacy').getStore()
-    req = store?.req
+    req = getActiveRequest()
   }
   const rootSpan = web.root(req)

package/packages/dd-trace/src/appsec/rasp/command_injection.js CHANGED Viewed

@@ -1,8 +1,9 @@
 'use strict'
 const { childProcessExecutionTracingChannel } = require('../channels')
-const { storage } = require('../../../../datadog-core')
 const addresses = require('../addresses')
+const web = require('../../plugins/util/web')
+const { getActiveRequest } = require('../store')
 const waf = require('../waf')
 const { RULE_TYPES, handleResult } = require('./utils')
@@ -27,8 +28,7 @@ function disable () {
 function analyzeCommandInjection ({ file, fileArgs, shell, abortController }) {
   if (!file) return
-  const store = storage('legacy').getStore()
-  const req = store?.req
+  const req = getActiveRequest()
   if (!req) return
   const ephemeral = {}
@@ -46,8 +46,7 @@ function analyzeCommandInjection ({ file, fileArgs, shell, abortController }) {
   const result = waf.run({ ephemeral }, req, raspRule)
-  const res = store?.res
-  handleResult(result, req, res, abortController, config, raspRule)
+  handleResult(result, req, web.getContext(req)?.res, abortController, config, raspRule)
 }
 module.exports = {

package/packages/dd-trace/src/appsec/rasp/lfi.js CHANGED Viewed

@@ -4,7 +4,9 @@ const { isAbsolute } = require('path')
 const { fsOperationStart, incomingHttpRequestStart, expressResponseRenderStart } = require('../channels')
 const { storage } = require('../../../../datadog-core')
+const web = require('../../plugins/util/web')
 const { FS_OPERATION_PATH } = require('../addresses')
+const { getRequest } = require('../store')
 const waf = require('../waf')
 const { enable: enableFsPlugin, disable: disableFsPlugin, RASP_MODULE } = require('./fs-plugin')
 const { RULE_TYPES, handleResult } = require('./utils')
@@ -53,16 +55,18 @@ function analyzeLfiInResponseRender (ctx) {
   const store = storage('legacy').getStore()
   if (!store) return
-  analyzeLfiPath(ctx.view, ctx.req, store.res, ctx.abortController)
+  analyzeLfiPath(ctx.view, ctx.req, web.getContext(ctx.req)?.res, ctx.abortController)
 }
 function analyzeLfi (ctx) {
   const store = storage('legacy').getStore()
-  if (!store) return
+  const fs = store?.fs
+  if (!fs) return
-  const { req, fs, res } = store
-  if (!req || !fs) return
+  const req = getRequest(store)
+  if (!req) return
+  const res = web.getContext(req)?.res
   for (const path of getPaths(ctx, fs)) {
     analyzeLfiPath(path, req, res, ctx.abortController)
   }

package/packages/dd-trace/src/appsec/rasp/sql_injection.js CHANGED Viewed

@@ -6,8 +6,9 @@ const {
   wafRunFinished,
   mysql2OuterQueryStart,
 } = require('../channels')
-const { storage } = require('../../../../datadog-core')
 const addresses = require('../addresses')
+const web = require('../../plugins/util/web')
+const { getActiveRequest } = require('../store')
 const waf = require('../waf')
 const { RULE_TYPES, handleResult } = require('./utils')
@@ -49,10 +50,7 @@ function analyzePgSqlInjection (ctx) {
 }
 function analyzeSqlInjection (query, dbSystem, abortController) {
-  const store = storage('legacy').getStore()
-  if (!store) return
-  const { req, res } = store
+  const req = getActiveRequest()
   if (!req) return
@@ -76,7 +74,7 @@ function analyzeSqlInjection (query, dbSystem, abortController) {
   const result = waf.run({ ephemeral }, req, raspRule)
-  handleResult(result, req, res, abortController, config, raspRule)
+  handleResult(result, req, web.getContext(req)?.res, abortController, config, raspRule)
 }
 function hasInputAddress (payload) {
@@ -91,10 +89,7 @@ function hasAddressesObjectInputAddress (addressesObject) {
 function clearQuerySet ({ payload }) {
   if (!payload) return
-  const store = storage('legacy').getStore()
-  if (!store) return
-  const { req } = store
+  const req = getActiveRequest()
   if (!req) return
   const executedQueries = reqQueryMap.get(req)

package/packages/dd-trace/src/appsec/rasp/ssrf.js CHANGED Viewed

@@ -5,8 +5,9 @@ const {
   httpClientRequestStart,
   httpClientResponseFinish,
 } = require('../channels')
-const { storage } = require('../../../../datadog-core')
 const addresses = require('../addresses')
+const web = require('../../plugins/util/web')
+const { getActiveRequest } = require('../store')
 const waf = require('../waf')
 const downstream = require('../downstream_requests')
 const { updateRaspRuleMatchMetricTags } = require('../telemetry')
@@ -30,8 +31,7 @@ function disable () {
 }
 function analyzeSsrf (ctx) {
-  const store = storage('legacy').getStore()
-  const req = store?.req
+  const req = getActiveRequest()
   const outgoingUrl = (ctx.args.options?.uri && format(ctx.args.options.uri)) ?? ctx.args.uri
   if (!req || !outgoingUrl) return
@@ -50,7 +50,7 @@ function analyzeSsrf (ctx) {
   const result = waf.run({ ephemeral }, req, raspRule)
-  handleResult(result, req, store?.res, ctx.abortController, config, raspRule)
+  handleResult(result, req, web.getContext(req)?.res, ctx.abortController, config, raspRule)
   downstream.incrementDownstreamAnalysisCount(req)
 }
@@ -67,8 +67,7 @@ function handleResponseFinish ({ ctx, res, body }) {
   // downstream response object
   if (!res) return
-  const store = storage('legacy').getStore()
-  const originatingRequest = store?.req
+  const originatingRequest = getActiveRequest()
   if (!originatingRequest) return
   // Skip body analysis for redirect responses